diff --git a/userspace/libsinsp/container_engine/container_async_source.tpp b/userspace/libsinsp/container_engine/container_async_source.tpp index 8b3f48ebf6..c02c392da1 100644 --- a/userspace/libsinsp/container_engine/container_async_source.tpp +++ b/userspace/libsinsp/container_engine/container_async_source.tpp @@ -58,6 +58,7 @@ bool container_async_source::lookup(const key_type& key, template bool container_async_source::lookup_sync(const key_type& key, sinsp_container_info& value) { + value.set_lookup_status(sinsp_container_lookup::state::SUCCESSFUL); value.m_type = container_type(key); value.m_id = container_id(key); diff --git a/userspace/libsinsp/container_engine/cri.cpp b/userspace/libsinsp/container_engine/cri.cpp index 0a80afb6e7..3b8d1a3335 100644 --- a/userspace/libsinsp/container_engine/cri.cpp +++ b/userspace/libsinsp/container_engine/cri.cpp @@ -271,7 +271,11 @@ bool cri::resolve(sinsp_threadinfo *tinfo, bool query_os_for_missing_info) * disabling async lookups. */ result.set_lookup_status(sinsp_container_lookup::state::STARTED); + // note: The cache should not have SUCCESSFUL as lookup status at this point, else `parse_container_json_evt` would wrongly exit early. cache->replace_container(std::make_shared(result)); + // note: On the other hand `parse_container_json_evt` expects SUCCESSFUL as lookup state for the incoming container event / + // the not yet cached container, exactly how it was done within `lookup_sync`. + result.set_lookup_status(sinsp_container_lookup::state::SUCCESSFUL); } } diff --git a/userspace/libsinsp/parsers.cpp b/userspace/libsinsp/parsers.cpp index 617cf75c37..638e85b22e 100644 --- a/userspace/libsinsp/parsers.cpp +++ b/userspace/libsinsp/parsers.cpp @@ -5080,11 +5080,22 @@ void sinsp_parser::parse_container_json_evt(sinsp_evt *evt) const Json::Value& lookup_state = container["lookup_state"]; if(check_json_val_is_convertible(lookup_state, Json::uintValue, "lookup_state")) { + container_info->set_lookup_status(static_cast(lookup_state.asUInt())); + switch(container_info->get_lookup_status()) + { + case sinsp_container_lookup::state::STARTED: + case sinsp_container_lookup::state::SUCCESSFUL: + case sinsp_container_lookup::state::FAILED: + break; + default: + container_info->set_lookup_status(sinsp_container_lookup::state::SUCCESSFUL); + } + // state == STARTED doesn't make sense in a scap file // as there's no actual lookup that would ever finish if(!evt->get_tinfo_ref() && container_info->get_lookup_status() == sinsp_container_lookup::state::STARTED) { - SINSP_DEBUG("Rewriting lookup_state == STARTED from scap file to FAILED for container %s", + SINSP_DEBUG("Rewriting lookup_state = STARTED from scap file to FAILED for container %s", container_info->m_id.c_str()); container_info->set_lookup_status(sinsp_container_lookup::state::FAILED); } @@ -5223,41 +5234,13 @@ void sinsp_parser::parse_container_json_evt(sinsp_evt *evt) } } - evt->set_tinfo_ref(container_info->get_tinfo(m_inspector)); - evt->set_tinfo(evt->get_tinfo_ref().get()); - container_info->set_lookup_status(static_cast(lookup_state.asUInt())); - switch(container_info->get_lookup_status()) - { - // Preserve case where lookup_state == STARTED from scap file was set to FAILED - // or otherwise set to false. - case sinsp_container_lookup::state::FAILED: - break; - default: - { - // note: The container image is the most crucial field from a security incident response perspective. - // We aim to raise the bar for successful container lookups. Conversely, pod sandboxes do not include - // a container image in the API response. - if (!container_info->m_image.empty() || container_info->is_pod_sandbox()) - { - // Marked as SUCCESSFUL if and only if the container image field present or - // if it's a pod sandbox container - container_info->set_lookup_status(sinsp_container_lookup::state::SUCCESSFUL); - } else - { - container_info->set_lookup_status(sinsp_container_lookup::state::FAILED); - } - } - } - - // note: Important, only set event filtering flag after all final state updates are done if(!container_info->is_successful()) { SINSP_DEBUG("Filtering container event for failed lookup of %s (but calling callbacks anyway)", container_info->m_id.c_str()); evt->set_filtered_out(true); } - - // `add_container` also triggers the callbacks, therefore always continue even if the - // lookup_status was set to FAILED + evt->set_tinfo_ref(container_info->get_tinfo(m_inspector)); + evt->set_tinfo(evt->get_tinfo_ref().get()); m_inspector->m_container_manager.add_container(container_info, evt->get_thread_info(true)); /* SINSP_STR_DEBUG("Container\n-------\nID:" + container_info.m_id +